
WO2009036377A1 - Systems and methods for a template-based encryption management system - Google Patents

Systems and methods for a template-based encryption management system

Info

Publication number
WO2009036377A1
Authority
WO
WIPO (PCT)
Prior art keywords
template
key
data
management system
message
Prior art date
Application number
PCT/US2008/076297
Other languages
English (en)
Inventor
Gregory Alan Powell
Jason James Dorsey
Dean Edward Mckee
Joachim Patrick Vance
Erik Scott Schetina
Original Assignee
Valicore Technologies, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Valicore Technologies, Inc.
Publication of WO2009036377A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/60 Digital content management, e.g. content distribution

Definitions

  • the present invention relates to encryption systems, and more specifically, to template-based encryption management systems that provide encryption and secured messaging services to server-based applications.
  • a template-based encryption management system that manages, enforces, and supports secure communication between a server-based application and one or more client devices.
  • the template-based encryption management system handles the secure communication and management needs of server-based applications and frees the application developers from having to develop, manage, or update security features in their server-based applications.
  • the template-based approach provides a highly customizable and accessible way for these applications to access security functionalities and features for the purpose of securely communicating with their network of client devices.
  • the calling applications provide input parameters and data in the form of a text-based template at runtime, and output in the form of encrypted and secured messages are either sent to the client devices automatically or returned to the calling applications.
  • the encryption management system provides a security boundary within which cryptographic keys and other sensitive data used to secure the communication are stored and protected from exposure.
  • the boundary also limits the attack surface of sensitive data that needs to be transmitted from the server-based calling applications to the client devices.
  • while these security functionalities, including algorithms and keys, are segregated to provide enhanced protection, the use of templates ensures that they can still be easily accessed and updated without recompiling the calling applications.
  • the template-based approach also enables the encryption management system to be extensible to support custom, specific cryptographic algorithms as well as custom keys needed by the calling applications.
  • the encryption management system provides a solution for embedded system device authentication, secure server-to-device communications, and encryption key management.
  • the encryption management system dramatically reduces implementation times and costs associated with using cryptography for authentication and data privacy with embedded systems applications.
  • the encryption management system can be broadly deployed in any application utilizing special function terminals or embedded system devices including entertainment, manufacturing, healthcare, government, and transportation venues where device authentication and data privacy is important.
  • One embodiment is a computer-implemented method for generating and sending a cryptographic key, the method comprising: receiving from a server-based application a request to generate and send the cryptographic key to a client device, the request sent in a template format that includes a plurality of parameters for generating a key pair from which the cryptographic key is obtained; executing a template for generating the key pair within a security boundary, the template comprising pre-defined data including a generation algorithm, a key size, and a plurality of key generation attributes; and retrieving a private key in an unencrypted form from the generated key pair to be sent as the cryptographic key to the client device specified by at least one of the parameters.
  • Another embodiment is a computer-readable medium having stored thereon executable code which, when executed by an encryption management system, causes the encryption management system to perform the method described in this paragraph.
  • Yet another embodiment is a computer system programmed to perform the method described in this paragraph.
  • Another embodiment is a computer-implemented method for applying cryptographic functions to a message, the method comprising: receiving a message and a plurality of parameters in a template format from an application server; applying a template to the message, the template comprising a transform element, the transform element specifying a list of functions among which is at least one cryptographic function that applies cryptographic processing to the message; and outputting the cryptographically processed message.
  • Another embodiment is a computer-readable medium having stored thereon executable code which, when executed by an encryption management system, causes the encryption management system to perform the method described in this paragraph.
  • Yet another embodiment is a computer system programmed to perform the method described in this paragraph.
  • the outputting step further comprises sending the cryptographically processed message to one or more client devices specified by one of the parameters.
  • the sending step further comprises processing the cryptographically processed message in a secure channel algorithm.
  • the outputting step further comprises one of sending the cryptographically processed message to a peer application and returning the cryptographically processed message to the application server.
  • the functions described in the previous paragraph comprise a generate key function or a wrap key function.
  • the template in one embodiment further comprises one or more of a template name, an internal variable, an output variable, or a custom function. The internal variable may carry the output of a function to the input of another function.
  • the template in one embodiment is preloaded in binary form onto a secure object database.
  • Another embodiment (FIG. 1) is an encryption management system for applying cryptographic functions to a message, the encryption management system comprising: a secure object database for storing a plurality of keys and objects; and a template engine that causes a template to be applied, within a security boundary, to data from a calling application to create a cryptographically processed output message, wherein the template uses the keys and objects stored in the secure object database, and wherein the template allows cryptographic functions to be accessed by the calling application through a consistent application programming interface.
  • Another embodiment is a method for encrypting product design data sent to workstations in a manufacturing line, the method comprising: constructing a template in response to a request to invoke the template from a workstation in the manufacturing line, the request including non-sensitive data used in manufacturing a product device; executing the template to generate a unique image, the unique image comprising product design data used to program the product device; embedding a cryptographic keyset into the unique image; encrypting the unique image with a key associated with the product device; and sending the encrypted unique image to the workstation.
  • FIGS. 2A through 2D illustrate sample template operations in accordance with one embodiment.
  • FIG. 3 is a flow diagram of the "generate and send key” operation in accordance with one embodiment.
  • FIG. 4 is a block diagram illustrating the input and output data format of the "generate and send key" operation in accordance with one embodiment.
  • FIG. 5 is a flow diagram of the "wrap and send key” operation in accordance with one embodiment.
  • FIG. 6 is a flow diagram of a custom function in accordance with one embodiment.
  • FIG. 9 illustrates the hardware and software components of the encryption management system in accordance with one embodiment.
  • FIG. 1A is a block diagram showing a sample data flow of the encryption management system and a sample application environment 100 for the encryption management system. Shown in the environment 100 is an application 110 that needs to communicate securely with a number of client devices 120 (e.g., 120A, 120B, 120C, 120D, etc.). In one embodiment, data 112 needs to be securely transmitted.
  • a financial application 110 residing on a server may need to transmit sensitive financial data to a number of terminals 120 (e.g., a stock broker's mobile computer).
  • a medical data server application 110 in a hospital may need to transmit patient data 112 to a number of handheld devices 110 used by hospital staff.
  • a manufacturing server application 110 may need to send product blueprint data 112 to robots/workstations 120.
  • one solution for secure communication between server application 110 and client devices 120 may involve the application 110 encrypting data and then sending it to client devices 120.
  • this configuration may require the programmers of the application 110 to expend much time and resources to develop and manage the encryption infrastructure.
  • the application 110 interfaces with an encryption management system 130 and allows the encryption management system 130 to manage the encryption and sending of data 112.
  • the application 110 passes data (and references) 112 to a template 114 and applies that template to the data.
  • the template 114 is then sent to a template engine 134 within the encryption management system 130 for processing.
  • the template engine 134 may retrieve objects and keys from the secure object database 132 as needed.
  • the objects and keys are needed to process the template 114 as well as format and/or encrypt the resultant message 136.
  • the resultant message 136 is then sent to a secured channel engine 138 for further security enhancement.
  • the security enhancement readies the message 136 to be sent via an active security protocol through a network 140 to the one or more client devices 120.
  • the final encrypted message 148 containing data 112 is then sent to the client devices 120.
  • the operation of a template is further described in conjunction with Figure 1B.
  • the encryption management system 130 provides a security boundary inside which security functionality can be scripted in a template.
  • a template is a configurable file or input mechanism through which variables, functions, and other data structures can be defined or referenced in accordance with an application programming interface (API).
  • a server-based application 110 that needs to utilize the encryption management system can invoke the security functions defined in an API via a template.
  • the template architecture provides to any calling application, in the form of a consistent API, access to cryptographic functions internal to the encryption management system, as well as custom functionality implemented via extensible modules.
  • the encryption management system can receive data dynamically from the calling application via templates. This functionality is achieved by not fixing the number of parameters at the interface, but rather by determining the number of parameters through the template definition.
  • the calling of the template function supports a variable argument list.
  • templates also support the use of static data. Often, data needed in the execution of the template functionality will be fixed for every pass through of the template. As such, in one embodiment, the template architecture supports the ability to pass integer literals, string literals, and/or binary string literals as parameters to internal functions. Data concatenation allows pre-defined static data to be combined with variable data. The output from a concatenation can be used as the input to an internal function.
  • a security policy prevents sensitive data from being released beyond the security boundary unencrypted.
  • Template functionality is executed within the security boundary of the template-based encryption management system.
  • Binary conversion of templates (template compilation) also ensures that no template functionality is executed outside of the security boundary and no sensitive data is revealed in the process.
  • the use of a security boundary also makes it possible to retrieve a sensitive cryptographic key in a template and then send that key over a secure channel where no encryption is applied (null secure channel).
  • the execution of the template prevents sensitive data from being processed and sent in the clear if a secure result is not ensured.
  • a template is a human readable text file with a predefined format that enables the external application 110 to pass instructions and data to the template engine 134.
  • a template can be constructed to perform data transformations, encryption management system modifications, or encryption management system queries. Construction of a template may involve defining the following optional components in a text file: (1) template parameters, (2) template operations, and (3) output binary structure. Figure 1B shows the relationship among these three components in the context of template execution.
  • template parameters 152 serve as inputs to the template operations 154 that will be performed by the template engine 134.
  • the process of defining these parameters includes specifying each parameter's data type and labeling the parameter with a unique string identifier.
  • Template parameters allow the external application (110) to supply inputs into the template engine 134 during the invocation of the template 114.
  • Template operations are specified operations that the encryption management system 130 performs during execution of the template.
  • the set of valid template operations is defined by the encryption management system template language specification (i.e., the API).
  • Certain template operations are pre-defined and the external application 110 can specify in template operations 154 which of the pre-defined operations are to be executed.
  • template operations 154 may utilize data and/or objects 164 from the secure object database 132 in combination with template parameters 152 from application 110 and data that is built-in to the template environment (e.g., the current time).
  • the operations may involve performing cryptographic operations on a set of data (e.g., input data 112 embedded within template 114) using keys 166 stored in the secure object database 132.
  • the defined set of template operations is extensible using specially defined plug-ins that are tailored to the application 110's usage of the encryption management system.
  • the third optional component involved in the construction of a template is the output structure 156, which governs the binary structure of the output that is produced as a result of executing the template.
  • Template output may be sent to another entity connected to the encryption management system or it may be returned to the calling application 110.
  • the structure of the output data is defined by the template and can be fed by template inputs as well as from the results of template operations.
  • before the output leaves the encryption management system 130, it passes through the secure channel engine 138 to obtain additional security enhancements before transmission.
  • templates are imported into the encryption management system and registered inside the template engine 134 with a specific template ID number. Templates can be imported, replaced, or deleted within the encryption management system 130 at any time without requiring a restart or code change within the encryption management system environment.
  • a template follows the following life cycle. First, a template is created using a template construction tool that aids in assembling the template functionality, for instance through an easy to use GUI. Once the template is created, the template construction tool performs static analysis of the template to validate and ensure that the template has no obvious errors. Then, the validated template is loaded onto the encryption management system by an administrator. In one embodiment, loading a template into the encryption management system begins the template binary conversion process, which results in the template being stored into the secure object database. Once the template is in the secure object database, the template can be executed with one of the encryption management application API calls that utilize templates to create a message for delivery to the client device. Once in use, the template may undergo further testing and refinement, and may be deleted from the encryption management system by an administrator when it is no longer needed.
  • the external application 110 can utilize an application library to invoke a template using a template API call.
  • the external application 110 supplies the registered template ID and any parameters (e.g., template parameters 352) defined for that template. Behavior of the template invocation is further governed by the specific template API call used to invoke the template.
  • the template engine 134 supports at least the following API calls:
    • Send the output of the template as a message to a device - As shown in Figure 2A, in this template operation the external application 110 passes parameters to the template engine 134, which in turn generates a message that is processed by the secure channel engine 138 and sent to a device 120.
  • output data resulting from a template operation is sent to the secure channel engine 138 to secure the content within the output data using the currently active secure channel protocol.
  • data is not sent out or returned to the calling application without being processed with a secure channel encryption mechanism. This ensures that any critical security parameters contained within the output of the template (perhaps fetched from the secure object database 132 using a template operation) will not be extractable from the encryption management system in the clear.
  • existing objects 166 within the secure object database 132 can be referenced within a template by utilizing numeric identifiers called UseIDs.
  • UseIDs uniquely identify specific types of objects at the application level as well as at the device level.
  • a template could have a UseID with a numeric value of "1" that represents an asymmetric signing key, with the "1" referencing the actual key stored within the secure object database 132.
  • depending on how this UseID is utilized in the encryption management system 130, it could be used within a template to reference a single application-wide signing key, or a device-specific signing key that exists for every client device 120 in the secure object database 132.
  • one template functionality of the template-based encryption management system applies a secure-channel algorithm (through secure channel 138) to sensitive data that has undergone no other encipherment process but the secure channel itself.
  • one example case where this can be used is the case in which it is necessary to generate application-specific cryptographic keys and send them securely to a client device.
  • FIG. 3 illustrates the steps taken in a "generate and send key" operation while Figure 4 illustrates the data message format of the operation.
  • the server application (e.g., application 110) requires a new RSA key pair be generated and sent to a specific client device.
  • the RSA private key may be embedded in a specifically formatted message in order for the client device application to properly interpret it.
  • the server application makes an appropriate call in the encryption management system API.
  • the server application makes a SendBlockToDeviceViaTemplate() call, specifying the "generate and send RSA key" template that pre-defines the parameters 400 (Figure 4) that are needed for generating an RSA key pair.
  • the server application provides three parameters 400 to the function call: (a) the device ID 404 of the client device to which the resultant message should be sent; (b) the prefix of the message 402 to be sent to the client device; and (c) the postfix of the message 406 to be sent to the client device.
  • the prefix 402 will be prepended to the key, while the postfix 406 will be appended to the key.
  • the template-based encryption management system executes the "generate and send key" template.
  • the template takes as input template defined data 410, system-provided data, and the device ID 404.
  • template defined data 410 additionally includes RSA generation algorithm 412, key size 414, and key generation attributes 416.
  • the system-provided data may additionally include an application ID 418.
  • This application ID 418 is used to indicate the ID of the application that is sending the message to the encryption management system, as one embodiment of the encryption management system supports handling messages from multiple applications on the server side being sent to remote client devices. Since it may be useful for a remote device to know the source of the message specifically down to the application that sent it, this application ID transmits the identity of the sending application to the remote device.
  • the template generates an RSA key pair, which includes an RSA public key 422 and an RSA private key 424 in one embodiment.
  • at step 310 the template retrieves the generated RSA private key 424, unwrapped and in the clear.
  • the template combines the prefix message 402, the RSA private key data 420, and the postfix message 406 to create a message block 136 to send to the target client device.
  • the template-based encryption management system applies the target client device's secure channel algorithm encipherment to the RSA private key message block 136 to create an encrypted message data block 148.
  • at step 316 the template-based encryption management system sends the secured message block 148 containing the RSA private key 424 to the specified target client device.
  • This operation shows one advantage of executing the template within the security boundary.
  • the cryptographic key is retrieved in the clear to apply the secure channel algorithm to it for secure transport to the client device.
  • the cleartext sensitive data is protected until it is placed in an enciphered message format.
  • a common practice for handling cryptographic keys is to wrap (encipher) them before export. Because a wrapped key is not particularly sensitive, an application key or a client device key stored within the template-based encryption management system could be exported to the interfacing application (e.g., application 110 in Figure 1) in a wrapped form. There are at least two reasons for executing the wrapping functionality from within a template: convenience and extensibility.
  • First, using an interface where several cryptographic calls must be made to wrap a key can often be very inconvenient to an interfacing application. The cryptographic sub-system must be initialized, the wrapping key must be retrieved, the target key to be wrapped must be retrieved, and the wrapping algorithm must be executed. Also, there are often complicated intermediate steps and parameters required.
  • Embodiments of the invention eliminate these inconveniences by providing key wrapping functionalities to the interfacing application's developer with a template and single API call.
  • the API call can be executed using a small number of parameters, allowing for the same key wrapping functionality to be accessed in a convenient interface with much less work and in a less complicated fashion.
  • a custom cryptographic wrapping function may be desirable.
  • extending the template-based interfacing application API to support custom algorithms and functionality is one of the advantages of templates.
  • a template can provide access to a custom wrapping function with a flexible parameter list appropriate to that function.
  • FIG. 5 shows the steps of the "wrap and send key” operation.
  • the encryption management system selects the wrapping (encipherment) key(s).
  • the encryption management system selects the target key to be wrapped (enciphered).
  • the encryption management system applies a standard or custom cryptographic wrapping algorithm to the target key using the wrapping key(s).
  • the encryption management system concatenates additional message data (which may include context or additional data) with wrapped key to generate a resultant message 136.
  • the encryption management system applies a secure channel algorithm encipherment to the message 136 containing wrapped key.
  • the encryption management system sends the secured message 148 to the specified client device.
  • This template-based operation makes an otherwise fairly complex sequence conveniently accessible to an interfacing application.
  • the interfacing application needs to provide only a small number of variable parameters required for the key retrieval and wrapping functions.
  • a template can provide for the specification of fixed parameters to the internal functions through string or binary literals. This reduces the number of parameters that the interfacing application needs to provide to the template, which also adds to the convenience of using a template rather than a direct interface to the internal functions of an encryption sub-system.
  • templates allow access to custom functionality without modifying the interfacing API.
  • a custom wrapping function may be used in the "wrap and send operation" described previously.
  • Figure 6 shows the steps of an example custom function operation.
  • a custom cryptographic function is used to protect external data with keys stored internally to the template-based encryption management system.
  • This operation also includes using external delivery of the secured message with the template functionality.
  • the encryption management system 130 imports sensitive data. This data (keying material or some other sensitive data) is passed via parameters to the template and may be protected by pre-shared or pre-trusted encipherment keys between the encryption management system and the interfacing application.
  • the encryption management system selects the cryptographic key(s) to use with the custom cryptographic functions.
  • the encryption management system applies the custom cryptographic function to the imported sensitive data using the selected keys.
  • the encryption management system then applies the secure channel algorithm 138 to a message 136 containing sensitive data at step 608.
  • the encryption management system returns the secured message 148 to the interfacing application.
  • the interfacing application provides transport of secured message to the client device.
  • the encryption management system provides what is needed to communicate data to a client device (e.g., the application specific keys and the secure channel keys).
  • templates are able to import external data and apply cryptographic transforms with keys managed by the template-based encryption management system.
  • the encryption management system can be used in a manufacturing line environment.
  • a common problem encountered in the design and implementation of a manufacturing line is the protection of sensitive product design data.
  • a workstation on an electronics manufacturing line is responsible for the programming of a firmware image into a chip (Flash, ASIC, CPLD, etc.).
  • the binary image that is to be programmed into the chip may contain unique product design data (e.g., cryptographic keysets, configuration data, software image, etc.) that should not be exposed during the programming process. Assuming that a single unique hardware key already exists within the device being programmed (e.g., the chip), only the device and the manufacturer should have access to this data.
  • the encryption management system can be used to protect this sensitive data.
  • Figure 7 illustrates the application.
  • a template is constructed that takes the non-sensitive components 704 of the firmware image as inputs from the workstation 702 that is invoking the template.
  • the template as executed (706) generates a unique image (which may contain cryptographic keysets, configuration data, software image, etc.) for each device/invocation of the template, and embeds this keyset into the firmware image for the device.
  • the template as executed (708) encrypts the entire image with the device unique hardware embedded key fetched from secure object database 132.
  • the finished output 710 is returned to the workstation 702 for programming of the device without exposing any of the unique image outside the cryptographic boundary 710 of the encryption management system 130.
  • the encryption management system can also be applied in the media content management context.
  • a typical setup involves a discrete piece of media content (audio, text, video, application, etc.) that has been encrypted with a keyset (e.g., a "Keyset A") in order to protect the media from unauthorized access during distribution.
  • Keyset A is transmitted to the customer's location to allow them access to the media.
  • the same Keyset A is used to protect this asset for every customer who is entitled to the media.
  • the encryption management system is used to add security both at the point of distribution and at the point of termination (the customer's hardware) of a media distribution context.
  • the application is shown in Figure 8.
  • a piece of hardware 834 (e.g., a set top box) at the customer's location can be considered a client device 120 as previously shown in the general application Figure 1A.
  • a media server 802 (e.g., a media server hosted by a cable TV provider) is tasked with distributing media content to the customer 800.
  • the customer 800 sends an entitlement request 832 to the media server 802.
  • the request may contain, for example, a request to download a movie.
  • the media server 802 sends a media stream 804 to the encryption management system 130.
  • the template execution results in a fetching operation 812 that fetches Keyset A from the secure object database 132.
  • the media stream is then encrypted with Keyset A at the process 814 (step 4a).
  • the encrypted media content 816 is sent to the customer hardware 834.
  • the media server sends an authorization 806 to the encryption management system 130.
  • the authorization 806 may result from the media server checking the customer's accounting or billing information to ensure that the customer 800 is entitled to download the media content.
  • the encryption management system 130 receives the authorization 806 via a template that is constructed to retrieve the unique customer key 834 and Keyset A 812 from the secure object database 132 at step 3b.
  • the template then performs a key wrap operation 822, wrapping Keyset A 812 with the customer unique key 834.
  • This wrapped Keyset A 824 is then distributed to the customer at step 5b.
  • the wrapped keyset is delivered at the time of media content entitlement.
  • at step 6, to decrypt the encrypted media content, the customer loads the wrapped key into their hardware, where Keyset A is unwrapped with the unique customer key and used to decrypt the media content.
  • the template element is the root of the XML structure of the template.
  • Example attributes for the template element include: /Template/@name - This attribute specifies the name of the template that can be used to reference the template through the template-based encryption server application API.
  • External parameters passed to the template are specified in name and in type to be used as variables within the template. This is similar to the format parameter in a printf() function call which specifies the type of each parameter in the following parameter list.
  • the template API call can take a variable length parameter list and the parameter types in the list are specified in the template.
  • This element contains an ordered list of parameter elements. The order of the parameter elements will be used to interpret the variable length parameter list passed to the template.
  • This element specifies an external parameter passed to the template via one of the template API calls in the variable length parameter list.
  • the attributes of this element specify the name and type of the parameter.
  • This attribute specifies the type of the parameter passed to the template. It is a string value. The type can be one of "integer," "string," or "binary."
  • Internal variables are used to pass data from the output of one template function as a parameter to another template function. Internal variables do not need to be declared before use. However, it may also be desirable to define some internal variables in advance in order to fix their type or context.
  • the naming of an internal variable is the same as that of an external parameter.
  • Internal variable names are strings that begin with a hash ('#') character.
  • the type of the internal variable is the same as the type of the output parameter where that internal variable name is first used.
  • Internal variables are only assigned value by being specified as the output attribute of a function. Thus, an internal variable name is first specified as the output parameter from an internal function before it can be used as an input parameter to another function. If the internal variable's value is not set using an output parameter first, then subsequent use of the parameter will be considered an error since the value of the variable will not be set.
  • the "output" variable is specified as: #OUTPUT.
  • when this internal variable is specified as the output parameter of a transforming function, the resulting data is then provided to the secure channel algorithm that is specified as part of the template API call.
  • Literals can be used for almost any content and function parameter value in the template that can be fixed by the template designer. Literals can be used in most places that external parameters and internal variables can be used. Literals cannot be used as the value of output parameters if they are to be used elsewhere in the template.
  • String literals are specified using any ASCII printable character.
  • a string literal can be specified for any attribute or element content that takes a string type.
  • the value of the decryptionAlgoID attribute is a string literal.
  • An integer literal is similar to a string literal except that it contains only numerical characters from 0-9.
  • An integer literal can be specified for any attribute or element content that takes an integer type. Any non-numeric character in an integer literal will cause an error where an integer type is required.
  • An integer literal will be interpreted as a string if the type calls for a string.
  • the bitstring element in the concatenate function requires binary data.
  • when binary data is specified by value, the element content is base64 encoded data.
  • for example, the element content might be base64 data that decodes as "[some message header]".
  • a template uses a transform element.
  • This element specifies an ordered list of functions that manipulate the incoming data passed through external parameters, literal data, and data output from the template functions to result in a single binary string value that is the result of the template.
  • the transform element specifies at least one internal function. For example, one internal function specifies the output variable which is the result of the transform.
  • This transform example wraps a key and then embeds the wrapped key with some literal data and external data.
  • the concatenate function contains the output variable as required for the transform element.
  • Functions within the template are specified by xml elements. Parameters to the function are specified as attributes or sub-elements. Most simple parameters of type string, integer, or binary string can be specified as attributes. More complex parameters whether complex types, objects, or arrays can be specified via sub-elements if they cannot be specified as an attribute in one of the basic types.
  • the template functionality provides a standard set of cryptographic and manipulative functions. The interfaces to these functions and their parameters are defined in the Template Functions section.
  • Some functions also specify one or more algorithms that are used in the execution of the function. Wherever possible, the set of supported algorithms can be extended to cover custom or not-yet-implemented algorithms without modifying the function interface.
  • Custom functions can be developed and accessed from within the template transform procedure. They follow the same guidelines as internal functions. External XML Schemas will be provided for these functions so that their specification in a template can also be statically validated before the template is executed.
  • a mechanism is also provided within the template-based encryption server to load the modules containing the custom functionality so that these custom functions are callable during the execution of the template. This allows external modules to be loaded into the encryption server without having to recompile the template-based encryption application itself.
  • Errors in template execution are returned to the calling application via an error code with well defined and meaningful return values.
  • Static errors are errors that can be discovered before execution of the template. These include, for instance, errors in template integrity, errors in type mismatch in external parameters and the function parameters to which they are passed, errors in type mismatch between internal variables and the function parameters to which they are passed, and errors in type mismatch in literals.
  • Dynamic errors are errors that occur during execution of the template. These include, for instance, errors in casting external parameters to defined types and errors in function execution.
  • This function imports sensitive key material or other data to be used by the template or stored internally in the template-based encryption server. Because the key wrapping function works on an object ID, data is imported before it can be wrapped.
  • outputKeyID - An output value of type object ID.
  • keyData - Binary string representing the sensitive material or key to be imported. It can be an external parameter, internal variable, or a binary string literal.
  • decryptionKeyID - The key used to decrypt keyData on import. If this is null, it is assumed that the imported data is passed in the clear.
  • decryptionAlgoID - The decryption algorithm. In this embodiment, this parameter may be set to "AES," "RSA," or "NULL." If this is null, it is assumed that the algorithm can be deduced from the type of the key specified in the decryptionKeyID parameter.
  • if the storage parameter specifies permanent storage, the key will be stored in the encryption server database along with the optional parameters for future retrieval.
  • outputKeyID - An output value of type Object ID.
  • This attribute is specified as an internal variable.
  • genKeyAlgo Specifies the key algorithm to determine what type of key to generate. This attribute is of type string.
  • genKeyAttributes - This is an element that specifies attributes to use in the key generation algorithm. The format of the data is an attribute template specific to the key generation algorithm specified.
  • storage - One of two string values: "temp" means the imported or generated key or data is deleted at the end of the template execution; "perm" means it is stored in the encryption server for future use.
  • useID - Specifies the useID under which the key or key pair is stored. In this embodiment, this is an existing useID created through the admin interface. If the storage parameter is "perm," this parameter allows the data or key to be found for future reference. Otherwise, it is ignored.
  • GenerateKeyPair will generate a public and private key data structure according to the key type specified and return one object ID handle each for the public and private keys so that they can be used in other template functions.
  • if the storage parameter specifies permanent storage, the key pair will be stored in the encryption server database along with the optional parameters for future retrieval.
  • outputPrivateKeyID An output value of type Object ID.
  • This attribute is specified as an internal variable.
  • outputPublicKeyID - An output value of type Object ID.
  • This attribute is specified as an internal variable.
  • genKeyAlgo Specifies the key algorithm to determine what type of key to generate. This attribute is of type string.
  • genKeyAttributes - This is an element that specifies attributes to use in the key generation algorithm. The format of the data is an attribute template specific to the key generation algorithm specified.
  • This function wraps (enciphers) one key with another key using the specified algorithm.
  • the result is passed to the output parameter.
  • wrappingKeyID - A handle to the key to use when wrapping the target key. This should be specified as an internal variable. It can be returned from any of the FindKey, GenerateKey, GenerateKeyPair, and ImportKey functions. This attribute can be empty (optional) if the wrapping algorithm is specified as "NULL."
  • wrappingAlgoID - The wrapping algorithm. In this embodiment, it may be one of "AES," "RSA," or "NULL." The NULL wrapping algorithm exports the key in the clear if the policy settings on the key allow it. If this is empty, it is assumed that the algorithm can be deduced from the type of the key specified in the wrappingKeyID parameter.
  • wrappingAlgoAttributes - This is an element that specifies attributes to use in the wrapping algorithm. The format of the data is an attribute template specific to the wrapping algorithm specified.
  • This function is used to perform encryption on the specified plaintext data blob with the specified key.
  • the result of this operation is passed to the outputData parameter.
  • outputData - The binary data that results from the encryption operation. This is specified as an internal template parameter or the template output parameter.
  • the key for this operation should be specified as an internal variable. This can be returned from any of the FindKey, GenerateKey, GenerateKeyPair, and ImportKey functions.
  • encryptionIV - An initialization vector required by some (but not all) cryptographic encryption algorithms. If the encryption algorithm requires an IV, this value should be specified as a binary data blob internal variable or as a literal hex or base64 encoded string value.
  • encryptionAlgo - A literal string value containing a value like "AESCBC" or "AESECB" that indicates the algorithm being used to encrypt the plaintext data.
  • plaintextData - The data that is the input to this operation and will be encrypted. This is specified as an internal template parameter or as a literal hex or base64 encoded string value.
  • the concatenate function is used to combine data from multiple sources: external parameters, internal function results, and string literals.
  • the output of the concatenate function can either be an internal variable for use in another template function or the template output variable specifying the result of the template transform procedure.
  • the result attribute is specified as an internal variable. Alternatively, it is the template output parameter.
  • <bitstring> elements may be specified within the <Concatenate> element.
  • the value of a <bitstring> can be specified in two ways, either through the value of the element or through a content attribute.
  • the content can be specified in the value of the element.
  • the binary data in the element is encoded as base64 text.
  • the <bitstring> content can be specified by an external or internal variable set through the content attribute on the <bitstring> element. If the content attribute is specified then any text in the element is ignored and discarded.
  • the variable is of type binary string.
  • /Concatenate/string - Specifies a string value.
  • the value of a <string> element can be specified in two ways, just as for the bitstring element: through the value of the element itself as a string literal or through a variable passed via the content attribute of the string element.
  • the content can be specified in the value of the element.
  • the data in the element comprises ASCII printable string characters.
  • the <string> content can be specified by an external or internal variable set through the content attribute on the <string> element. If the content attribute is specified then any text in the element is ignored and discarded.
  • the variable is of type string.
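The media entitlement flow of Figure 8 (encrypt the stream once with Keyset A at step 4a, wrap Keyset A with each customer's unique key at steps 3b to 5b, unwrap and decrypt on the set top box at step 6) and the template transform described above (wrap a key, then embed the wrapped key with literal and external data through Concatenate) can be exercised end to end with the following added example. It is illustrative code written for this page, not the patent's or Valicore's implementation, and everything the page does not state is an assumption: the exact element and attribute spellings (FindKey with useID, keyID as the target-key attribute of WrapKey and Encrypt, encryptionIV, output, outputData, result), internal variables referenced as "#name" and external parameters by their declared name with any other value treated as a literal, the two constructed templates, the useIDs "KeysetA" and "cust-4711", and an HMAC-SHA256 counter keystream that stands in for AES so the example runs with the Python standard library alone (it is not AES and must not be used as a cipher). The engine runs the static checks from the errors section (external parameter type mismatch, internal variable read before assignment, missing #OUTPUT) before any key material is touched, and refuses a NULL wrap so Keyset A never leaves the cryptographic boundary in the clear.

```python
"""Mini template engine in the style of the patent's XML templates. Added here as an illustration;
it is not the patent's or Valicore's code. Assumed, not taken from the page: the element/attribute
spellings, '#'-prefixed internals, externals referenced by declared name, an HMAC keystream for AES."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET


class TemplateError(Exception):
    """Static (pre-execution) or dynamic (execution-time) template error."""


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for AES (assumption; not a real cipher): HMAC-SHA256 counter keystream, self-inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class TemplateEngine:
    OUTPUT_ATTRS = {"outputKeyID", "output", "outputData", "result"}

    def __init__(self, keys: dict):
        self.keys = keys  # stands in for secure object database 132: useID -> key bytes (admin-provisioned)

    def validate(self, root, params):
        """Static errors: external parameter type mismatch, '#var' read before assignment, no #OUTPUT."""
        for p in root.iter("parameter"):
            if not isinstance(params.get(p.get("name")), {"integer": int, "string": str, "binary": bytes}[p.get("type")]):
                raise TemplateError(f"external parameter {p.get('name')!r} is not of type {p.get('type')}")
        assigned = set()
        for fn in root.find("transform"):
            for attr, val in [kv for el in (fn, *fn) for kv in el.attrib.items()]:
                if attr in self.OUTPUT_ATTRS:
                    assigned.add(val)
                elif val.startswith("#") and val not in assigned:
                    raise TemplateError(f"{val} read before assignment in <{fn.tag}>")
        if "#OUTPUT" not in assigned:
            raise TemplateError("transform never assigns #OUTPUT")

    def run(self, xml_text: str, **params) -> bytes:
        root = ET.fromstring(xml_text)
        self.validate(root, params)  # no key material is touched until the static pass succeeds
        env = dict(params)           # externals by declared name; internals are added as '#name'
        for fn in root.find("transform"):
            getattr(self, "fn_" + fn.tag)(fn, env)
        return env["#OUTPUT"]

    def _val(self, env, token):  # '#x' or a declared external -> its value; anything else is a literal
        return env[token] if token.startswith("#") or token in env else token

    def fn_FindKey(self, el, env):
        uid = self._val(env, el.get("useID"))
        if uid not in self.keys:
            raise TemplateError(f"no key provisioned for useID {uid!r}")  # dynamic error
        env[el.get("outputKeyID")] = uid  # the handle only; key bytes stay inside the engine

    def fn_WrapKey(self, el, env):
        if el.get("wrappingAlgoID") == "NULL":  # clear export; refused by key policy in this example
            raise TemplateError("NULL wrap refused: key policy forbids export in the clear")
        kek, iv = self.keys[env[el.get("wrappingKeyID")]], secrets.token_bytes(16)
        env[el.get("output")] = iv + keystream_xor(kek, iv, self.keys[env[el.get("keyID")]])

    def fn_Encrypt(self, el, env):
        if el.get("encryptionAlgo") not in ("AESCBC", "AESECB"):
            raise TemplateError("unsupported encryptionAlgo")  # dynamic error
        key, iv = self.keys[env[el.get("keyID")]], self._val(env, el.get("encryptionIV"))
        env[el.get("outputData")] = keystream_xor(key, iv, self._val(env, el.get("plaintextData")))

    def fn_Concatenate(self, el, env):  # <bitstring> text is base64, <string> text is ASCII; content= wins
        parts = []
        for sub in el:
            if sub.get("content"):
                v = self._val(env, sub.get("content"))
            else:
                v = base64.b64decode(sub.text or "") if sub.tag == "bitstring" else (sub.text or "")
            parts.append(v.encode() if isinstance(v, str) else v)
        env[el.get("result")] = b"".join(parts)


# Constructed templates for Figure 8: step 4a encrypts the stream; steps 3b-5b wrap Keyset A per customer.
DISTRIBUTE_MEDIA = """<Template name="DistributeMedia">
 <parameters><parameter name="media" type="binary"/><parameter name="iv" type="binary"/></parameters>
 <transform><FindKey outputKeyID="#keysetA" useID="KeysetA"/>
  <Encrypt outputData="#OUTPUT" keyID="#keysetA" encryptionIV="iv" encryptionAlgo="AESCBC" plaintextData="media"/>
 </transform></Template>"""
ENTITLE_CUSTOMER = """<Template name="EntitleCustomer">
 <parameters><parameter name="customerUseID" type="string"/><parameter name="header" type="string"/></parameters>
 <transform><FindKey outputKeyID="#keysetA" useID="KeysetA"/><FindKey outputKeyID="#custKey" useID="customerUseID"/>
  <WrapKey output="#wrapped" keyID="#keysetA" wrappingKeyID="#custKey" wrappingAlgoID="AES"/>
  <Concatenate result="#OUTPUT"><string content="header"/><bitstring>AAEC</bitstring><bitstring content="#wrapped"/></Concatenate>
 </transform></Template>"""


def client_decrypt(customer_key, entitlement, header_len, encrypted_media, iv):
    """Step 6 on the set-top box: skip header and literal, unwrap Keyset A with the unique customer key, decrypt."""
    wrapped = entitlement[header_len + 3:]
    keyset_a = keystream_xor(customer_key, wrapped[:16], wrapped[16:])
    return keystream_xor(keyset_a, iv, encrypted_media)
```

A run provisions the store with Keyset A and one key per customer, executes DISTRIBUTE_MEDIA once per stream and ENTITLE_CUSTOMER once per authorized customer, and the customer's hardware recovers the stream with client_decrypt and its own unique key; the entitlement output is the header string, the literal bytes 00 01 02 from the base64 text "AAEC", and the wrapped Keyset A, exactly the shape the Concatenate example on this page describes. Deleting the second FindKey from ENTITLE_CUSTOMER makes validate() reject the template because "#custKey" is read before it is assigned, passing an integer for customerUseID is rejected as a parameter type mismatch, and switching wrappingAlgoID to "NULL" is refused at execution time; the first two are static errors and the last a dynamic one, in the page's terms.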
  • The extensible nature of the template-based encryption server provides access to customer-specific algorithms and functionality without the need to modify the API.
  • Example 1 Examples of commands that utilize the template-based encryption server's API are given below:
  • FIG. 9 is a block diagram illustrating the encryption management system 130 in accordance with one embodiment.
  • the encryption management system 130 includes, for example, a personal computer that is IBM, Macintosh, or Linux/Unix compatible.
  • the encryption management system 130 comprises a server, a desktop computer, a laptop computer, a personal digital assistant, a kiosk, or a mobile device, for example.
  • the sample encryption management system 130 includes a central processing unit (“CPU") 1090, which may include one or more conventional microprocessors.
  • the encryption management system 130 further includes a memory 1072, such as random access memory (“RAM”) for temporary storage of information and a read only memory (“ROM”) for permanent storage of information, and a mass storage device 1082, such as a hard drive, diskette, or optical media storage device.
  • the mass storage device 1082 may store the secure object database 132.
  • the components and modules of the encryption management system 130 are connected to the computer using a standard based bus system 1040.
  • the standard based bus system 1040 could be Peripheral Component Interconnect (“PCI”), MicroChannel, Small Computer System Interface (“SCSI”), Industrial Standard Architecture (“ISA”) and Extended ISA (“EISA”) architectures, for example.
  • the functionality provided for in the components and modules of encryption management system 130 may be combined into fewer components and modules or further separated into additional components and modules.
  • the encryption management system 130 is generally controlled and coordinated by operating system software, such as Windows Server, Linux Server, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Vista, Unix, Linux, SunOS, Solaris, or other compatible server or desktop operating systems.
  • the operating system may be any available operating system, such as MAC OS X.
  • the encryption management system 130 may be controlled by a proprietary operating system.
  • Conventional operating systems control and schedule computer processes for execution, perform memory management, provide file system, networking, I/O services, and provide a user interface, such as a graphical user interface ("GUI”), among other things.
  • the sample encryption management system 130 includes one or more commonly available input/output (I/O) devices and interfaces 168, such as a keyboard, mouse, touchpad, and printer.
  • the I/O devices and interfaces 168 include one or more display device, such as a monitor, that allows the visual presentation of data to a user. More particularly, a display device provides for the presentation of GUIs, application software data, and multimedia presentations, for example.
  • the encryption management system 130 may also include one or more multimedia devices 1062, such as speakers, video cards, graphics accelerators, and microphones, for example.
  • the computing system may not include any of the above-noted man-machine I/O devices.
  • the I/O devices and interfaces 1068 provide a communication interface to various external devices.
  • the encryption management system 130 is electronically coupled to the network 140, which may comprise one or more of a LAN, WAN, or the Internet, for example, via a wired, wireless, or combination of wired and wireless, communication link 1063.
  • the network 140 facilitates communications among various computing devices and/or other electronic devices via wired or wireless communication links.
  • the encryption management system may use network 140 to communicate with the application 110 and the client devices 120.
  • data from external application 110 may be sent to the encryption management system 130 over the network 140. Similarly, results may be returned over the network 140 to client devices 120.
  • the encryption management system 130 may communicate with other data sources or other computing devices.
  • the data sources may include one or more internal and/or external data sources.
  • one or more of the databases, data repositories, or data sources may be implemented using a relational database, such as Sybase, Oracle, CodeBase and Microsoft® SQL Server, as well as other types of databases such as, for example, a flat file database, an entity-relationship database, an object-oriented database, and/or a record-based database.
  • the encryption management system 130 may also include an encryption module 1050 to process the encryption functionality described herein and a template engine module 1066 to process and handle the template execution, both of which may be executed by the CPU 1090.
  • the encryption module 1050 and the template engine module 1066 may be implemented as one or more modules, which may include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.
  • one or both of the modules may be implemented as separate devices, such as computer servers.
  • the encryption management system can be implemented by multiple physical computers that are interconnected, with different encryption management functions or tasks optionally handled by different machines.
  • the word "module" refers to logic embodied in hardware or firmware, or to a collection of software instructions, possibly having entry and exit points, written in a programming language, such as, for example, Java, Lua, C or C++.
  • a software module may be compiled and linked into an executable program, installed in a dynamic link library, or may be written in an interpreted programming language such as, for example, BASIC, Perl, or Python. It will be appreciated that software modules may be callable from other modules or from themselves, and/or may be invoked in response to detected events or interrupts.
  • Software instructions may be embedded in firmware, such as an EPROM.
  • hardware modules may be comprised of connected logic units, such as gates and flip-flops, and/or may be comprised of programmable units, such as programmable gate arrays or processors.
  • the modules described herein are preferably implemented as software modules, but may be represented in hardware or firmware. Generally, the modules described herein refer to logical modules that may be combined with other modules or divided into sub-modules despite their physical organization or storage.
  • All of the methods and processes described above may be embodied in, and fully automated via, software code modules executed by one or more general purpose computers or processors.
  • the code modules may be stored in any type of computer-readable medium or other computer storage device. Some or all of the methods may alternatively be embodied in specialized computer hardware.
  • the components referred to herein may be implemented in hardware, software, firmware, or a combination thereof.
  • Conditional language such as, among others, "can," "could," "might," or "may," unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The encryption management system (130) according to the invention provides a solution for embedded system device authentication, secure server-to-device communications, and encryption key management. It reduces the implementation time and cost associated with using cryptography for authentication and data confidentiality in embedded system applications by freeing application developers from the tasks of developing, managing, or updating security-based features in their server-based applications. The system's template-based approach provides customizable and accessible security functionality. To use services provided by the encryption management system in some embodiments, calling applications (110) provide input parameters and function calls in the form of a template (114) at run time, and the output, in the form of encrypted and secured messages (148), is either sent to client devices (120) automatically or returned to the calling applications (110). As such, the security functionality and objects, although separated within the encryption management system to provide improved protection, can still be easily accessed and can be updated without having to recompile the calling applications.
PCT/US2008/076297 2007-09-14 2008-09-12 Systems and methods for a template-based encryption management system WO2009036377A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US97269707P 2007-09-14 2007-09-14
US60/972,697 2007-09-14

Publications (1)

Publication Number Publication Date
WO2009036377A1 true WO2009036377A1 (fr) 2009-03-19

Family

ID=40452550

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/076297 WO2009036377A1 (fr) 2007-09-14 2008-09-12 Systems and methods for a template-based encryption management system

Country Status (2)

Country Link
US (1) US20090077371A1 (fr)
WO (1) WO2009036377A1 (fr)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9355267B2 (en) * 2009-03-26 2016-05-31 The University Of Houston System Integrated file level cryptographical access control
US9946768B2 (en) * 2010-11-02 2018-04-17 Microsoft Technology Licensing, Llc Data rendering optimization
US11418580B2 (en) * 2011-04-01 2022-08-16 Pure Storage, Inc. Selective generation of secure signatures in a distributed storage network
US9817807B1 (en) * 2011-08-23 2017-11-14 Amazon Technologies, Inc. Selecting platform-supported services
US8479019B1 (en) * 2011-12-13 2013-07-02 Unisys Corporation Cryptography for secure shell in emulated environments
CA2799514A1 (fr) 2011-12-28 2013-06-28 Superna Business Consulting, Inc. System, method and network device for encryption
CN102752398B (zh) * 2012-07-18 2015-09-09 腾讯科技(深圳)有限公司 Method, terminal, server and system for parsing traffic values
WO2017087822A1 (fr) * 2015-11-18 2017-05-26 Level 3 Communications, Llc Service activation system
US10778435B1 (en) * 2015-12-30 2020-09-15 Jpmorgan Chase Bank, N.A. Systems and methods for enhanced mobile device authentication
US10498747B1 (en) * 2016-06-23 2019-12-03 Amazon Technologies, Inc. Using program code with a monitoring service
US11349659B2 (en) * 2017-08-29 2022-05-31 Amazon Technologies, Inc. Transmitting an encrypted communication to a user in a second secure communication network
US11095662B2 (en) 2017-08-29 2021-08-17 Amazon Technologies, Inc. Federated messaging
US11368442B2 (en) * 2017-08-29 2022-06-21 Amazon Technologies, Inc. Receiving an encrypted communication from a user in a second secure communication network
US10402320B1 (en) * 2018-02-27 2019-09-03 Oracle International Corporation Verifying the validity of a transition from a current tail template to a new tail template for a fused object
CN113225305A (zh) 2021-02-16 2021-08-06 蒋云帆 Intelligent cryptographic center and its universal client implementation
US12041164B2 (en) * 2021-09-10 2024-07-16 International Business Machines Corporation Encryption key hybrid deployment management
CN114302269B (zh) * 2021-12-17 2024-04-09 博为科技有限公司 ONU access method, apparatus, storage medium and electronic device
CN114338010B (zh) * 2021-12-31 2024-02-20 深圳昂楷科技有限公司 Database key exchange method, apparatus and electronic device
CN114443161B (zh) * 2021-12-31 2024-05-28 北京达佳互联信息技术有限公司 Application integration method, apparatus, device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030204732A1 (en) * 2002-04-30 2003-10-30 Yves Audebert System and method for storage and retrieval of a cryptographic secret from a plurality of network enabled clients
US20040054893A1 (en) * 2002-09-18 2004-03-18 Anthony Ellis Method and system for a file encryption and monitoring system
US20070136361A1 (en) * 2005-12-07 2007-06-14 Lee Jae S Method and apparatus for providing XML signature service in wireless environment
US20070174196A1 (en) * 2006-01-26 2007-07-26 Christoph Becker System and method for verifying authenticity

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6820198B1 (en) * 1998-09-01 2004-11-16 Peter William Ross Encryption via user-editable multi-page file
US7549060B2 (en) * 2002-06-28 2009-06-16 Microsoft Corporation Using a rights template to obtain a signed rights label (SRL) for digital content in a digital rights management system
US20040083373A1 (en) * 2002-10-28 2004-04-29 Perkins Gregory M. Automatically generated cryptographic functions for renewable tamper resistant security systems
US20040168119A1 (en) * 2003-02-24 2004-08-26 David Liu method and apparatus for creating a report
US7533273B2 (en) * 2003-03-19 2009-05-12 Broadcom Corporation Method and system for controlling an encryption/decryption engine using descriptors
US7672460B2 (en) * 2004-01-22 2010-03-02 Nec Corporation Mix-net system
WO2006015182A2 (fr) * 2004-07-29 2006-02-09 Infoassure, Inc. Object access level
US20080025497A1 (en) * 2005-06-28 2008-01-31 Ogram Mark E Multiple key encryption with "Red Herrings"
EP1777961A1 (fr) * 2005-10-19 2007-04-25 Alcatel Lucent Content configuration tool and distribution management system
FR2905216B1 (fr) * 2006-08-25 2009-03-06 Thales Sa Method for personalising a security component, in particular in an unprotected environment
US20080165970A1 (en) * 2007-01-05 2008-07-10 Chung Hyen V runtime mechanism for flexible messaging security protocols

Also Published As

Publication number Publication date
US20090077371A1 (en) 2009-03-19

Similar Documents

Publication Publication Date Title
US20090077371A1 (en) Systems and methods for a template-based encryption management system
CA2892874C (fr) System and method for sharing cryptographic resources across multiple devices
US8751788B2 (en) Payment encryption accelerator
US10389728B2 (en) Multi-level security enforcement utilizing data typing
US20100185862A1 (en) Method and System for Encrypting JavaScript Object Notation (JSON) Messages
US8495383B2 (en) Method for the secure storing of program state data in an electronic device
US10110575B2 (en) Systems and methods for secure data exchange
US11323251B2 (en) Method and system for the secure transfer of a dataset
US10826693B2 (en) Scalable hardware encryption
US20170170952A1 (en) Format-preserving encryption of base64 encoded data
US12099637B2 (en) Secure device programming system with hardware security module and security interop layer
US20200159709A1 (en) Supporting secure layer extensions for communication protocols
CN107920060A (zh) Account-based data access method and apparatus
Halpin The W3C web cryptography API: motivation and overview
CN113420313A (zh) Program secure-execution and encryption method, and apparatus, device and medium therefor
Nassar et al. Secure outsourcing of matrix operations as a service
Hwang et al. An operational model and language support for securing XML documents
CN114584378A (zh) Data processing method and apparatus, electronic device and medium
Roulet-Dubonnet Python OPC-UA Documentation
CN111078224A (zh) Software package file data processing method and apparatus, computer device and storage medium
KR101979320B1 (ko) System and method for automatically generating encrypted SQL statements using meta-information and an enterprise framework
CN113141329A (zh) Big data mining method and apparatus, device and storage medium
CN115378998B (zh) Service invocation method, apparatus and system, computer device and storage medium
US12362907B2 (en) Format-preserving data encryption
CN117932565A (zh) Authorization control method and system based on an asymmetric cryptographic system

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
    Ref document number: 08830110; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: PCT application non-entry in European phase
    Ref document number: 08830110; Country of ref document: EP; Kind code of ref document: A1
